iTWire recently had an opportunity to chat with Ryan Kalember, Executive Vice President of Cybersecurity Strategy at Proofpoint about this growth area in IT security and was interested to hear his thoughts on how it works and what we can do to defend ourselves.
iTWire: Let's start by defining 'business email compromise.'
Kalember: Business Email Compromise, or 'BEC', refers to an email scam that targets specific people in an organisation and relies on social engineering tactics. It's used to steal money, data or other confidential employee information. It happens when the scammer poses as a trusted individual with a legitimate business request. These scams are aimed at specific individuals, sent in low volume and highly targeted in their approach.
iTWire: So, clearly there's no 'one size fits all' attack or defence.
Kalember: No, you're right, there isn't. The scams are hard to identify and may seem part of any legitimate day-to-day request to the target. Scammers, who want to circumvent tight network controls, research the best ways to take advantage of human vulnerabilities, which is why these email impersonations rely heavily on social engineering tactics. Some different examples of BEC attacks could be a scammer impersonating a CEO and asking employees in the finance department to transfer funds to a new account, or a malicious email spoofing someone from the HR department and asking an employee to submit personal information. The fact they look so legitimate is what makes them successful, as most people are unlikely to turn down a request from the person they believe to be in a position of authority.
iTWire: You said recently that in 2020, over 50% of Proofpoint enterprise customers have had some VIP impersonated. I assume you're not suggesting a degree of success! Do you have any insight into success rates?
Kalember: Correct, that's a figure of the attempts, not the success rate. Our research shows that since March 2020, over 7,000 CEOs or other executives have been impersonated. We recently looked at a 90-day period between June and September and found that the average CEO has been impersonated 102 times!
The research we have is based on attacks that Proofpoint has successfully blocked so we don't have insights into the number of successful attacks. However, research last year from the FBI states that attacks have cost businesses upwards of US$26 billion worldwide since 2016 and the average attack nets the attacker US$130,000. These kinds of numbers mean that more money is lost to this type of attack than any other cyber criminal activity.
iTWire: Following from that, clearly you've seen a significant number of examples. What are the techniques (by the bad dudes) that seem to have greater success? And thus, where do we need to target increased training?
Kalember: Two of the most recent examples we've seen being leveraged by attackers are what we call gift card scams and payroll diversion scams. A gift card scam will involve attackers attempting to convince the target victim to send money to them using popular retail gift cards rather than through wire transfers. This is a quick and easy way for scammers to get money from their targeted victims because the victims don't have to navigate complicated wire transfer instructions; they just go and purchase gift cards from well-known and trusted retailers.
The use of gift cards is also generally less well known than wire transfers or other forms of payment, which unfortunately gives it a higher chance of success. Practically, this scam works like any other BEC scam: often we see someone impersonating a high-ranking individual within a business, requesting a staff member purchase gift cards for a vendor or client and being told they will be reimbursed.
(as an aside, this is why there are scam warnings about purchasing gift cards at most card retailers - we've certainly seen them at supermarkets and other outlets close by)
In the case of payroll scams, the attackers target the payroll process of a company and attempt to redirect legitimate payroll payments from their intended destination accounts to accounts under the attacker's control. These need to be extremely targeted in their approach because they need to identify someone within the HR or finance team that will have access and permissions to financial information.
Both of these types of scams require the attackers to invest time and energy into intelligence gathering prior to launching their attack, which is part of the reason that these attacks are so successful. There is a lot of time and planning that goes into making sure they are extremely targeted and hard to detect.
iTWire: Of course, services such as Proofpoint's will repel most of these attacks, but there are too many organisations who don't recognise the need or the value of what you (and fellow suppliers) offer.
Kalember: You only have to look at some of the figures we've discussed to see just how much money is lost to these types of scams every year and how big a threat they are to organisations and their employees.
The rise in all types of cyber scams has been well reported throughout the COVID-19 pandemic and shows no signs of slowing down. In fact, the latest phishing stats from the ACCC (Australian Competition and Consumer Commission) show an all-time high in the number of phishing scams reported in September 2020.
For businesses, however, the risks associated with Business Email Compromise are sometimes not grasped until it's too late. We can only continue to educate about the risks involved and how those threats can be dealt with best by prioritising a people-centric approach to security that focuses on protecting employees against social engineering attacks.
iTWire: Who is perpetrating these attacks? Are there any consistent themes?
Kalember: While it's always difficult to say exactly who it is that's carrying out attacks, there are good reasons to believe that BEC threat actors are a distinct type of criminal that differ from those leveraging something like ransomware for example.
BEC is all about social engineering, where the attacker preys on the victim's emotions in order to get them to take some kind of action benefitting the attacker. Manipulating trust by posing as a known individual to the victim and disguising emails as belonging to organisations are examples of the most common social engineering tactics/themes we witness regularly.
Some of our recent research shows cybercriminals taking advantage of the shift to remote working, by crafting attacks that leverage online collaboration tools: we have seen credential phishing campaigns targeting Zoom and Webex users back in April, and recent analysis shows that people are four times more likely to click a malicious link if it's addressed 'SharePoint' and 11 times more likely to click on 'OneDrive' malicious links.
iTWire: Is a BEC attack isolated, or does it form part of a chain that (perhaps) includes Ransomware or similar. I recall hearing of DDoS attacks to make it difficult for someone to confirm a transaction and thus making them more likely to proceed.
Kalember: BEC is often intertwined with EAC, or Email Account Compromise, a highly sophisticated attack in which threat actors use various tactics, such as password spraying, phishing and malware, to compromise victims' email accounts, gaining access to legitimate mailboxes.
Think of EAC as the ultimate impersonation tactic: attackers hijack an email account to essentially become the person it belongs to. And critically, EAC attacks bypass many email authentication controls.
Once attackers gain legitimate access to the target's email account, they have access to a treasure trove of information—email, calendar, key meetings with suppliers or customers, corporate directory, and even files in the file shares—to profile their victim. More importantly, attackers maintain access by creating email forwarding rules or changing account permissions, so they can closely monitor the victim and study the business. They mimic the victim, craft very convincing and timely messages using the knowledge they gain to send email at the opportune time.
Once they have unauthorized access, attackers can launch email fraud scams internally or externally with your suppliers and partners, as well as credential phish and malware attacks. They also use the compromised accounts to host malware and phishing links to attack unrelated organisations.
In the case of EAC, there are almost always two victims - the person whose email account got compromised, and the other person who falls for the fraudulent request from the compromised email account.
iTWire: Finally, what advice would you give to someone who is suspicious of an email, thinking that it may be a BEC?
Kalember: If someone is suspicious of an email they receive, they should check for some of the common signs of a BEC scam. These include high-level executives asking for unusual information, and requests not to communicate something with others or to bypass the usual channels or processes in place. Language issues and spelling/grammatical errors are also things that suggest something might not be right, as well as email domains or 'Reply-To' addresses that don't match the sender's.
If someone is suspicious, they shouldn't feel bad about asking for further clarification, checking with a colleague or friend or reporting it to an IT team. Those are all better options than potentially falling victim to a scam and incurring a financial loss.
We also recommend that organisations prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against BEC scams, as well as others. This includes email authentication and dynamic email classification. We also recommend layered defences at the network edge, email gateway, in the cloud, and at the endpoint, along with tailored end user education and awareness to provide the best defence against these types of attacks that prey on human nature.
With the shift to remote work that has taken place this year, extra vigilance is required as employees may not be protected in the same way as they were in the office. We always encourage remote workers to connect with their IT departments if there are processes, protocols or online tools they are unfamiliar with, to avoid falling victim to social engineering attacks.
iTWire: Well that seems like a great place to stop, so thank you very much for your time.
Kalember: Thank you.
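The checks Kalember lists in his last answer (a sender address that does not belong to the executive named in the display name, a Reply-To that points elsewhere, a lookalike domain, and urgency, secrecy or gift card/payment-change language) can be scripted against raw message headers. The following is an added example and not part of the interview or Proofpoint's code; the organisation domain `example.com`, the executive roster, the keyword lists and both sample messages are constructed for illustration.

```python
"""BEC indicator checks over raw email text (added example, not Proofpoint's code).

The organisation domain, executive roster, keyword lists and the two sample
messages below are all constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Assumed organisation domain and executive roster (hypothetical).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY_TERMS = ("urgent", "asap", "immediately", "right away")
SECRECY_TERMS = ("don't tell", "do not tell", "keep this between us", "confidential")
PAYMENT_TERMS = ("gift card", "gift cards", "wire transfer", "new account",
                 "update my bank", "direct deposit")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> List[str]:
    """Return human-readable indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    hits: List[str] = []

    # 1. Display name of a known executive on an address that is not theirs.
    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        hits.append(f"display name '{from_name}' but address {from_addr} is not {known}")

    # 2. Reply-To routes replies to a domain other than the From domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        hits.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_dom}")

    # 3. Sender domain is within two edits of the organisation's own domain.
    if from_dom and from_dom != ORG_DOMAIN and _edit_distance(from_dom, ORG_DOMAIN) <= 2:
        hits.append(f"sender domain {from_dom} resembles {ORG_DOMAIN}")

    # 4. Social-engineering language in subject or body (single-part bodies only here).
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()
    for label, terms in (("urgency", URGENCY_TERMS), ("secrecy", SECRECY_TERMS),
                         ("payment", PAYMENT_TERMS)):
        found = [t for t in terms if t in text]
        if found:
            hits.append(f"{label} language: {', '.join(found)}")
    return hits


# Constructed sample: executive display name, lookalike domain, external Reply-To.
SPOOFED = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.office@mail-provider.example>
To: pat.finance@example.com
Subject: Urgent request

Pat, I'm in a meeting and can't talk. Please buy 5 gift cards for a client today and send me the codes. Keep this between us for now.
"""

# Constructed sample: ordinary internal request from the real address.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: pat.finance@example.com
Subject: Q3 board deck

Pat, can you send me the Q3 numbers when the close is done? Thanks.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, bec_indicators(raw))
```

The header checks are deliberately cheap so they can run at a mail gateway or in a mailbox rule; they do not replace DMARC-style authentication, and they will not fire on an EAC message sent from the genuine, compromised account, which is exactly the case Kalember describes as bypassing authentication controls. For that case the signals live elsewhere (new forwarding rules, unusual sign-in locations), not in these headers.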